Exploitation of computing devices is an ever-increasing problem in today's mobile workforce environment, particularly in an environment where mobile devices are increasingly being used for both work and personal activities. Further, efficient and timely detection of exploited devices is commonly masked, due to various exploitation masking utilities and masking functionality of unauthorized applications present on the exploited device, thereby making management of applications installed on mobile devices critically important for modern businesses.
Traditionally, an administrator approves applications installed on desktop computers by means of an application whitelist or blacklist. At the time of enforcement or authorization for applications with respect to the desktop computer device, onboard/local memory and associated local processors of the desktop computer are involved, using a copy of the blacklist and/or whitelist itself residing in the local memory of the desktop computer. As such, the blacklist and/or whitelist is stored and interrogated locally when a comparison is done against desktop installed applications to determine whether an application is approved or not.
Also, heuristics scanning can be used on desktop computers to discover malware. In terms of whitelist usage, the application whitelist is distributed to the desktop devices that are being administered and then stored in the local memory of each desktop device. This model has worked well on desktop computers because business-dedicated desktop machines do not need extensive whitelists: the number of approved applications for the typical business enterprise can be limited and controlled. Further, business-dedicated desktop machines in an enterprise can be characterized by a lack of variation, so there is no need to keep track of a per-desktop-device application blacklist/whitelist. Further, desktop computers have the computation power, local storage capacity, network bandwidth and power capacity (e.g. line power) to perform application authorization by means of application whitelists/blacklists. However, in the case of mobile devices, the ability to use extensive and comprehensive application whitelists/blacklists can be limited by battery life, computational power, local storage capacity, and metered mobile network bandwidth.
In terms of heuristics scanning, business enterprises make use of heuristics scanning for desktop computers, as there can be many variations of malware, making heuristics scanning necessary. In this regard, desktop computers have the computation power, network bandwidth and battery capacity to perform heuristics scanning. Desktop computers are also usually equipped with unmetered network bandwidth and sufficient local storage capacity to make use of long and extensive application whitelists/blacklists when necessary.
However, the same model for heuristics scanning and application whitelists/blacklists does not work well for monitoring application installation on mobile devices, such as smart phones, because these mobile devices are not business-dedicated devices, i.e. are used for both personal and business activities, thereby making the monitoring and approval of a large number of non-business applications necessary. In particular, these non-business-dedicated mobile devices, as a group of devices managed by a central enterprise, can have an extreme degree of variation in terms of what applications are installed on what mobile device, thereby making it a challenge to keep track of individual application blacklists and whitelists associated with individual mobile devices.
In theory, the existence of official, canonical sources for easily enumerable applications can make an application whitelist/blacklist model substantially attractive for mobile devices, rather than heuristic scanning, due to the lack of proliferation of many unknown variations of malware. Also, the need to disapprove non-infected software in some organizations means heuristics scanning would simply not work in these cases. However, the ability to perform heuristic scans and the use of complete and extensive individual device application whitelists/blacklists are disadvantageous for collections of mobile devices due to limited battery life, limited onboard mobile device computational power, limited onboard mobile device storage, and mobile device metered bandwidth limits and costs for mobile network data usage. Further, frequent updates of mobile applications also render frequent transfers of application blacklists and whitelists to individual mobile devices impractical.
Further, it is recognized that in the event of an exploited status (e.g. having the installation of a restricted application) of a mobile device in communication with one network service, other independent network services may not be aware of this exploited status (e.g. may not be able to detect or identify the exploited status via their network communications with the errant mobile device) and may therefore put the security of their enterprise data at risk. As such, local enforcement on the mobile device can be bypassed, or the whitelist/blacklist can become adversely exposed, if the device has undergone a privilege escalation attack (e.g. jailbreaking, rooting). This can be the case regardless of whether the device is a traditional computer or a handheld device such as a mobile phone. However, this aspect is of particular importance for handheld devices due to the popularity of such attacks among even ordinary users in the BYOD (Bring Your Own Device) scenario.
It is also recognized that mobile devices may not always have stable network connections, and thus may not be connected to the untrusted networks (e.g. WiFi hotspot, hostile 3G network). Further, a difference between desktop computers and mobile devices is that desktop computers typically reside behind a firewall, and thus network-based solutions using locally stored lists (held in the desktop device's storage) can be deployed to catch unauthorized downloads. The same is not possible for mobile devices, as they cannot be protected by firewalls.